From WebTV Wiki
Revision as of 22:36, 31 May 2021 by imported>Admin (Flesh out ticket types information)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search
OverviewList of WTVP ServicesWTVP-specific Content-TypesStatus Codes
TokensTicketsCapability Flags
Header ListData TypesCommon Request Headers
First-Time RegistrationHeadwaiter (Login)Messenger ServicesFavoritesChecking for new mailRetrieving settingsObtaining new wtv-ticketsSmart CardMiscellaneous
URLs for WTVP Services

A ticket is a piece of opaque data that, to put it simply, authorizes client sessions on a server. In WTVP, they are used to authorize user sessions throughout the entire WebTV/MSN TV service after a user logs in.


After a box logs in through the headwaiter service, it receives among other data an opaque value through the server's responses, residing in the header wtv-ticket. For any further services a box would like to connect to, it will have to send the ticket in a wtv-ticket header first to authorize access for its current session.

The lifetime of these tickets are unknown as of writing, but we for sure know they aren't indefinitely available as there has been a service recorded to renew tickets for box sessions.


WebTV/MSN TV's tickets can technically take on any value and can be generated in any way the underlying service sees fit. For the official service, though, tickets are Base64-encoded BLOBs, that when decoded expose binary data. According to internal Microsoft documents, the actual tickets are encrypted "with a service key" [1] and the encrypted form is what is likely sent between boxes and frontend servers. While the algorithm used for encrypting tickets is at the moment, unknown, the key used to encrypt the ticket is currently believed to be a 128-bit key. The original key used in production, according to our sources, had not been changed for the duration of the WebTV/MSN TV service's life.

When decoded, it is believed the tickets look something like this:

38/|9/|wtv-user-id/|129517092/|12/|wtv-user-name/|AR_129517089/|2/|wtv-human-name-first/|AR/|9/|wtv-human-name-last/|129517089/|11/|ip/||1/|wtv-chat-restriction/|0/|1/|user-is-the-subscriber/|1/|5/|wtv-messenger-authorized/|false/|14/|user-list/|1,129517092;1,/|3/|wtv-programs/|one/|6/|wtv-subscriber-category/|normal/|12/|ANI/|950000000000/|5/|subscriber-zip/|11111/|2/|subscriber-country/|US/|2/|tricks-access-level/|40/|1/|traxs-temp-access/|0/|8/|traxs-time-stamp/|5d8c5060/|8/|traxs-passwd-hash/|873241cb/|13/|subscriber-billing-address/|463 Bryant St/|12/|subscriber-billing-city/|Redwood City/|2/|subscriber-billing-state/|CA/|12/|subscriber-phone-day/|123-456-7890/|2/|subscriber-billing-status/|ok/|1/|subscriber-is-canceled/|0/|1/|service-tier/|1/|9/|wtv-subscriber-id/|129517089/|16/|wtv-client-serial-number/|n00b_for_life_04/|2/|wtv-printer-mfr-code/|-1/|2/|wtv-printer-model-code/|-1/|1/|wtv-printer-black-pen-code/|0/|1/|wtv-printer-color-pen-code/|0/|9/|wtv-client-time-zone/|PST -0800/|2/|session-country/|US/|24/|wtv-session-key1/|Q1VecbKp43JKN9Z57/6pQg==/|24/|wtv-session-key2/|13fF8748HiDyxzTd/I4rXw==/|21/|wtv-user-connection-id/|1; 5D8C5060:0007967E;/|21/|wtv-user-session-id/|1; 5D8C5055:000E4215;/|32/|wtv-MD5-digest/|9d4a78043e666b70709a391e20ecb559/|

From what we can infer, this format stores properties pertaining to a subscriber/user's account, billing, and session information. All individual data is separated by a delimiter (/|), and to define the amount of properties available, the first field is the number of properties in the current ticket.

Properties themselves are stored as delimited type-length-value tuples:

|  value length  |  property type  |  property value  |

Known Ticket Property Types

Name Type Description
ANI string ???
wtv-chat-restriction integer ???
wtv-client-serial-number string SSID linked to ticket.
wtv-client-time-zone string Time zone. Not sure if it's of the subscriber/user's location or the service.
wtv-human-name-first string First name of account linked to the ticket.
wtv-human-name-last string Last name of account linked to the ticket.
ip string IP address (possibly of the active account).
wtv-MD5-digest string ???
wtv-messenger-authorized boolean Possibly a flag for whether Messenger is enabled on the WebTV/MSN TV account.
wtv-printer-black-pen-code integer ???
wtv-printer-color-pen-code integer ???
wtv-printer-mfr-code integer ???
wtv-printer-model-code integer ???
wtv-programs string ???
service-tier integer ???
session-country string ???
wtv-session-key1 BLOB First RC4 session key (client -> server) for the WebTV/MSN TV user's session. Used for SECURE communication in WTVP. Also present in the wtv-challenge from the headwaiter challenge/response process.
wtv-session-key2 BLOB Second RC4 session key (server -> client) for the WebTV/MSN TV user's session. Used for SECURE communication in WTVP. Also present in the wtv-challenge from the headwaiter challenge/response process.
subscriber-billing-address string Billing address of WebTV subscriber.
subscriber-billing-city string City the WebTV subscriber resides in.
subscriber-billing-state string State the WebTV subscriber resides in.
subscriber-billing-status string ???
wtv-subscriber-category string ???
subscriber-country string Country the WebTV subscriber resides in.
wtv-subscriber-id ??? ???
subscriber-is-canceled boolean ???
subscriber-phone-day string Phone number of WebTV subscriber.
subscriber-zip integer ZIP code of WebTV subscriber.
traxs-temp-access integer(?) ???
traxs-time-stamp string ???
traxs-passwd-hash string ???
tricks-access-level integer Related to access level to Tricks service(?). Need more documentation on this.
user-is-the-subscriber boolean Flag that specifies if the user linked to the ticket is the subscriber(?).
wtv-user-connection-id string ???
wtv-user-session-id ??? ???
wtv-user-id string Possibly the user ID of the account linked to the ticket.
wtv-user-name string Username of account linked to the ticket.
user-list string ???


While not directly related to tickets, there is another authorization value sent by the headwaiter when a box logs in: wtv-service-cookie. At the moment the use of this value is unknown, but the form of this value sent to the box (Base64-encoded BLOB) is encoded in a way similar to tickets. When decoded, they have data formatted like this:


While using a scheme similar to decoded tickets, the format of the decoded service cookies are unclear, and unless we get a hold of more insider information, we might never know.